Please report security vulnerabilities privately.

• Subject: SECURITY: infocyph/intermix - <short title>
• Include:
  • affected version
  • impact summary
  • reproduction steps or PoC
  • suggested fix (if available)

Please do not open a public GitHub issue for unpatched vulnerabilities.

• ValueSerializer::decode() / ValueSerializer::unserialize() should only process trusted payloads.
• For untrusted transport channels, enable payload signing:

use Infocyph\InterMix\Serializer\ValueSerializer;

ValueSerializer::setPayloadSigningKey($_ENV['INTERMIX_SIGNING_KEY']);